We are struggling a little bit with understanding how roles and permissions works in Cerbos. I come from an Auth0 world where you basically define a set of permissions (usually looking something like this

document:read

) and then bundle these up into dynamic roles. You would then be able to validate the permissions rather than the actual role of a user allowing new roles to be added more easily. Is this something that could be accomplished with Cerbos or is this even something we would want to do with Cerbos?

you absolutely can do this, i had a similar use case so here’s an example:

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "batching_group"
  rules:		
    - actions: ['delete']
      effect: EFFECT_ALLOW
      roles: ['*']
      condition:
        match:
          expr: ("delete:batching_group" in request.aux_data.jwt.claims)

Alright but where would the roles be constructed in such a scenario? That would need to be handled outside of Cerbos?

Roles are usually managed by an identity provider (IdP) such as Auth0. When you write Cerbos policies, you simply refer to those IdP roles and define access rules for those. In your example, you're referring to how Auth0 allows you to add extra data points to roles to describe what they are allowed to do. You can keep using those existing role with Cerbos as Guillaume demonstrated above. Alternatively, you can stop adding those data points in Auth0 and define them in Cerbos policies instead.

- actions: ['document:read', 'document:write']
      effect: EFFECT_ALLOW
      roles: ['document_rw']

There's a write-up about this here: https://cerbos.dev/blog/context-aware-authorization-with-auth0-cerbos